Trik Spam Botnet Leaks 43 Million Email Addresses

A security researcher from Vertek has discovered that the Trik spam botnet has leaked 43 million email addresses collected by the operators of the Trik trojan. The group behind the malware had left its server wide open to anyone who accessed its IP address directly.

What Is The Trik Trojan?

For all intents and purposes, Trik is a classic piece of malware. Once run, it adds the infected machine to a large botnet. The infected machines are then used to send out new spam campaigns, or their sending capacity is rented out to other cybercriminals.

Trik has been around for at least a decade but, according to a recent report, has seen a resurgence in recent years. Its older variants were known as Phorpiex and spread as a worm via USB devices, Skype, and Windows Live Messenger chats.

It later grew into a fully-fledged piece of malware when it forked the codebase of the SDBot trojan.

The Email Leaks

The server leaked exactly 43,555,741 unique email addresses. The researcher who discovered the leak is currently working with the Have I Been Pwned service to figure out how many of these addresses have already appeared in other leaks.

The email addresses ranged from bog-standard .com domains all the way up to .gov addresses, showing how widely this malware has spread. The researcher shared more details about the kinds of addresses involved with Bleeping Computer.

It turns out most of the addresses belong to older email services: Yahoo and AOL account for 10.6 million and 8.3 million addresses respectively. Interestingly, few Gmail addresses appear in the list, suggesting that either the database is incomplete or the operators deliberately targeted users of older email services.
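The per-provider and per-TLD figures above are the kind of triage a researcher runs over a dump like this before handing it to a breach-notification service: case-fold and deduplicate across every file, throw away lines that are not addresses, then tally by mail domain and top-level domain. The following is an added example written for this page, not the researcher's or Vertek's tooling; the file names and addresses in SAMPLE_FILES are constructed stand-ins for the text files found on the server, and triage_dir is a hypothetical helper for running the same tally over a mirrored directory.

```python
import re
from collections import Counter
from pathlib import Path

# Constructed stand-in for the per-file dumps found on the server
# (hypothetical addresses; the real files are not reproduced here).
SAMPLE_FILES = {
    "0001.txt": "alice@yahoo.com\nBob@AOL.com\nalice@yahoo.com\nnot-an-email\ncarol@agency.example.gov\n",
    "0002.txt": "dave@gmail.com\nbob@aol.com\n\nerin@mail.example.co.uk\n",
}

# Deliberately strict: exactly one lower-cased address per line, nothing else.
EMAIL_RE = re.compile(r"^[a-z0-9._%+-]+@([a-z0-9.-]+\.[a-z]{2,})$")


def triage(files):
    """Deduplicate addresses across dump files and tally them by mail domain
    and by top-level domain.

    `files` maps a file name to that file's text content.  Returns a dict with
    the unique count, the number of malformed lines rejected, and Counters
    keyed by domain and by TLD.
    """
    seen = set()
    by_domain = Counter()
    by_tld = Counter()
    rejected = 0
    for _name, content in files.items():
        for raw in content.splitlines():
            addr = raw.strip().lower()  # case-fold so Bob@AOL.com == bob@aol.com
            if not addr:
                continue
            m = EMAIL_RE.match(addr)
            if m is None:
                rejected += 1
                continue
            if addr in seen:
                continue  # same address repeated across files counts once
            seen.add(addr)
            domain = m.group(1)
            by_domain[domain] += 1
            by_tld[domain.rsplit(".", 1)[-1]] += 1
    return {
        "unique": len(seen),
        "rejected": rejected,
        "by_domain": by_domain,
        "by_tld": by_tld,
    }


def triage_dir(path, pattern="*.txt"):
    """Hypothetical helper: the same tally over every dump file under `path`."""
    return triage({p.name: p.read_text(errors="replace") for p in Path(path).glob(pattern)})


if __name__ == "__main__":
    report = triage(SAMPLE_FILES)
    print(f"unique addresses: {report['unique']}  rejected lines: {report['rejected']}")
    for dom, n in report["by_domain"].most_common():
        print(f"  {dom:<24} {n}")
    for tld, n in report["by_tld"].most_common():
        print(f"  .{tld:<23} {n}")
```

On the constructed sample the tally reports five unique addresses and one rejected line; the duplicate `alice@yahoo.com` and the differently cased `Bob@AOL.com` / `bob@aol.com` each count once. Case-folding before deduplication matters at this scale, because a dump built from several sources will otherwise overstate its unique count.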

Leaky Malware Developers

The group behind the Trik malware had misconfigured its server so that anyone who knew the IP address could browse it. On the server, the security researcher found 2,201 text files containing roughly 20,000 email addresses each.

Because the server was wide open, anybody could have copied these files. Any number of cybercriminals, not just the botnet operators, could therefore have their hands on these addresses.

Not The First Time Botnets Have Leaked Account Details

In August of last year, the Onliner spam botnet leaked an eye-watering 711 million email addresses that were being used in its spam campaigns. Onliner worked by compromising a huge number of insecure, outdated websites and making them host a PHP script that was used to send the spam.

The spam Onliner sent carried banking malware that infected more than 100,000 devices. The spammer also managed to bypass smarter inbox filters by sending through many different SMTP servers, many of which were obtained from a number of previous hacks.

The emails contained a hidden pixel-sized image that, when the email is opened, sends the recipient's IP address and user-agent string back to the spammer. The spammer then knows the recipient's type of computer, operating system, and other useful details, and has confirmed that the address is live and actively read.
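The tracking pixel described above is visible on both ends: in the message as a tiny or hidden remote image, usually with a per-recipient token in its URL, and on the spammer's web server as an access-log line carrying the source IP and User-Agent. The example below is added for this page and is not Onliner's code or any tool from the original report; it flags beacon-like images in an HTML mail body, then shows what the beacon host learns from one log line. SAMPLE_HTML and SAMPLE_LOG are constructed, and the hosts, token and User-Agent in them are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample message body: one legitimate logo, one hidden beacon and
# one inline (data:) image that cannot phone home.  Hostnames are hypothetical.
SAMPLE_HTML = """<html><body>
<p>Your invoice is attached.</p>
<img src="https://cdn.example.com/logo.png" width="200" height="60" alt="logo">
<img src="http://track.example.net/open.gif?id=7f3a9c" width="1" height="1" style="display:none">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" width="1" height="1">
</body></html>"""

# Constructed access-log line (combined log format) as the beacon host would
# record it when the message above is opened with remote images enabled.
SAMPLE_LOG = ('203.0.113.7 - - [12/Jun/2018:10:14:32 +0000] '
              '"GET /open.gif?id=7f3a9c HTTP/1.1" 200 43 "-" '
              '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Outlook/16.0"')


def _is_tiny(value):
    """True for a width/height attribute of 1px or less."""
    if value is None:
        return False
    try:
        return int(str(value).strip().rstrip("px")) <= 1
    except ValueError:
        return False


class PixelFinder(HTMLParser):
    """Collects <img> tags that fetch from a remote host and are tiny or hidden."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            return  # data: and cid: images are local to the message
        style = a.get("style", "").replace(" ", "").lower()
        tiny = (_is_tiny(a.get("width")) and _is_tiny(a.get("height"))) or \
               ("width:1px" in style and "height:1px" in style)
        hidden = "display:none" in style or "visibility:hidden" in style
        if not (tiny or hidden):
            return  # a visible, normally sized remote image is not a beacon by itself
        reasons = []
        if tiny:
            reasons.append("1x1 dimensions")
        if hidden:
            reasons.append("hidden by style")
        if url.query:
            reasons.append("query string (likely per-recipient token)")
        self.hits.append({"src": src, "host": url.hostname, "reasons": reasons})


def find_tracking_pixels(html):
    """Return the suspected beacon images in an HTML mail body."""
    parser = PixelFinder()
    parser.feed(html)
    parser.close()
    return parser.hits


LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" \d+ \S+ "[^"]*" "([^"]*)"$')


def parse_beacon_hit(line):
    """What the beacon host learns from one access-log line: the source IP,
    the per-recipient token from the query string, and the User-Agent."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ip, target, user_agent = m.groups()
    qs = parse_qs(urlparse(target).query)
    return {"ip": ip, "token": qs.get("id", [None])[0], "user_agent": user_agent}


if __name__ == "__main__":
    for hit in find_tracking_pixels(SAMPLE_HTML):
        print(f"beacon -> {hit['host']}: {', '.join(hit['reasons'])}")
    print(parse_beacon_hit(SAMPLE_LOG))
```

On the sample body only the 1x1 hidden image pointing at track.example.net is reported; the logo is remote but neither tiny nor hidden, and the data: image never leaves the client. The log line shows the other half of the exchange: the token ties the hit back to one recipient, and the IP and User-Agent are what the spammer profiles. The practical defence is the one mail clients already offer: do not load remote images by default.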

The 711 million leaked addresses are still the biggest single leak to make its way onto the Have I Been Pwned service.

Conclusion

This won't be the last time we see a breach on this scale, so it is vital that users stay vigilant about spam. If an email looks suspicious, don't take the chance: delete it immediately rather than opening its attachments or links. The likes of Trik will only grow as time goes on; don't become part of that list.